The very very very first step is to ensure security is even a priority by management and whoever leads the team - and each developer. Nothing else matters if there's no culture around these issues.
It needs to be one of the first clear goals that the team values security and will, therefore, allocate time for testing, learning, tooling, etc.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.